1. Field of the Invention
The present invention generally relates to computer networks and more specifically to advanced network content processing and network usage monitoring.
2. Description of the Related Art
Security threats have evolved dramatically over the last 10 years, moving from network-level, connection-oriented attacks to application-level, agent-based attacks. Conventional networking devices (firewalls) can deal with network-level packet processing; for example, conventional firewalls can stop packets that do not come from a valid source, and VPN gateways can encrypt packets on the fly, making it safe for them to traverse the Internet. But today's critical network threats, like viruses and worms, are embedded in the application-level contents of packet streams. Enormous processing power is needed to detect and stop these application-layer threats by extracting the content from multiple packets, reconstructing the original content, and scanning it for the telltale signs of attacks or for inappropriate content. Additionally, businesses or service providers may be held liable for illegal or inappropriate content originating within their networks, or for failure to detect and prevent the distribution of such content.
To address these security challenges, modern firewalls must offer application-level content processing in real time—especially for real-time applications (like Web browsing) at today's (and tomorrow's) increasing network speeds.
A firewall is typically implemented as a hardware/software appliance having a number of physical networking interfaces for the incoming and outgoing network traffic. Network traffic enters one of these interfaces and, after filtering and other appropriate processing, is routed to a remote host typically attached to a different physical interface.
In a firewall, processing of network traffic is performed in accordance with a set of specific rules which are also called “firewall policies”. The firewall policy dictates how the firewall should handle specific categories of network traffic, including, for example, network traffic associated with web browsing, email communications or telnet connections. Incoming traffic is matched against the rules in the list using traffic selectors as a key. Each firewall policy may specify one or more actions that the firewall must take for the specific category of network traffic. Exemplary rules include translating network addresses (NAT), requesting authentication, filtering banned words, blocking specific URLs, blocking transmission of specific file types, antivirus scans, blocking spam, logging, etc. The firewall policies collectively form a firewall configuration profile, which contains various parameters for configuring the firewall to process the network content. The firewall policies are usually created by the network administrator and are based on the information security policy of the respective organization.
Instant messaging and peer-to-peer protocols are becoming increasing common networking tools, both at home in the workplace. However, these new protocols may give rise to security vulnerabilities, both from new attacks and from user abuse. Unfortunately, existing firewalls are not well-suited to process content of instant messaging, peer-to-peer, e-mail, web browsing, and file sharing communications. Therefore, what is needed is a firewall system with an ability to effectively handle processing of content associated with instant messaging, peer-to-peer, e-mail, web browsing, and/or file sharing protocols.